Identifying Workflows use cases - A practical guide
Ajay Seetharam

Okta Workflows is a powerful no-code automation platform for identity-centric processes. Many customers ask me how to find more opportunities to automate identity within their organizations. To address this need, this blog provides practical ways to engage across teams and personas to find identity automation scenarios that provide value. There are six different approaches, each serving as a lens through which you can identify these automation opportunities. There will be overlap in the use cases identified across the approaches - think of them as different paths leading to the same goal.  


1. Identity Lifecycle Management View for Joiner, Mover, Leaver processes

In every organization, activities are performed when an employee, contractor or partner is onboarded, when their job responsibilities change, and when they leave the organization. In customer identity scenarios, customer registration and onboarding, and the synchronization of identity data to downstream applications, are key areas of focus.


Example: For workforce identity, “Joiner-Mover-Leaver” processes have several variants to manage: identity processes differ for an employee who leaves voluntarily, one who takes a leave of absence, and one who is terminated as part of downsizing. In some cases there may be reasons to leave accounts in place and only suspend access, usually referred to as a “Legal Hold”. There are also differences based on employee location, contractor status and department.


These processes usually involve complex logic, time-based (temporal) steps, notifications, and integration across applications and systems. A common scenario is determining a unique email address and sAMAccountName for Active Directory, which requires uniqueness checks against multiple identity sources and targets. When an employee leaves, a common requirement is to wipe company data from a managed BYOD device.
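The uniqueness logic described above, as an added example in Python rather than Okta Workflows cards (this is not code from the post): candidate values are checked case-insensitively against several constructed identity sources and targets, and a numeric suffix is appended while keeping the sAMAccountName within its 20-character limit.

```python
"""Added example, not Okta Workflows code: derive a unique email address and
sAMAccountName for a joiner by checking candidates against several sources/targets."""
import re
import unicodedata

SAM_MAX_LEN = 20      # sAMAccountName (pre-Windows 2000 logon name) is limited to 20 chars
EMAIL_LOCAL_MAX = 64  # RFC 5321 limit for the local part of an address

# Constructed sample data standing in for Okta Universal Directory, Active Directory and
# an HR system; in a real workflow each set would be a directory or API lookup.
EXISTING_LOGINS = {"okta": {"jsmith", "jsmith2", "asmith"}, "ad": {"JSMITH", "rjones"}, "hris": {"jsmith3"}}
EXISTING_EMAILS = {"okta": {"john.smith@example.com"}, "o365": {"John.Smith2@example.com"}}

def normalize(part):
    """Lowercase, strip accents and drop anything that is not a-z or 0-9."""
    ascii_part = unicodedata.normalize("NFKD", part).encode("ascii", "ignore").decode()
    return re.sub(r"[^a-z0-9]", "", ascii_part.lower())

def taken_in(sources, value):
    """Case-insensitive uniqueness check across every source and target at once."""
    return any(value.lower() in {v.lower() for v in vals} for vals in sources.values())

def unique_value(base, is_taken, max_len):
    """Return base (truncated to max_len), or base plus the lowest free numeric suffix,
    keeping the total within max_len by shortening the base rather than the suffix."""
    candidate, n = base[:max_len], 2
    while is_taken(candidate):
        suffix = str(n)
        candidate = base[:max_len - len(suffix)] + suffix
        n += 1
    return candidate

def provision_identifiers(first, last, domain="example.com"):
    """Propose sAMAccountName (first initial + last name) and email (first.last@domain)."""
    fn, ln = normalize(first), normalize(last)
    sam = unique_value(fn[:1] + ln, lambda c: taken_in(EXISTING_LOGINS, c), SAM_MAX_LEN)
    local = unique_value(f"{fn}.{ln}", lambda c: taken_in(EXISTING_EMAILS, f"{c}@{domain}"), EMAIL_LOCAL_MAX)
    return {"sAMAccountName": sam, "email": f"{local}@{domain}"}
```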


Value of example scenario: Some companies manage these processes primarily through tickets, leading to significant manual effort and potential delays. With Okta Workflows these processes can be automated, limiting ticket creation to tasks that genuinely require manual work, such as offline, disconnected processes like preparing a laptop or managing an account in a disconnected application that has no technical integration interfaces.


Tips to identify these use cases: Review the current implementation of Joiner-Mover-Leaver processes and use Okta Workflows to automate any processes that depend on tickets. Also use Okta Workflows to create ITSM tickets, reducing the burden of manual ticket creation.


Finally, identify any sources of identities in cloud-accessible systems that may benefit from using Okta Workflows to import from applications categorized as “Anything as a source”, where OIN or existing Okta connectors do not apply.

2. Security View


Okta Workflows enhances security by allowing organizations to tailor their responses to security events. For example, based on events logged in the Okta syslog such as “User Suspicious Activity Reported”, “Breached Password Detection”, or a combination of events that could indicate account takeover, Okta Workflows can take automated actions such as clearing application sessions and notifying the relevant personnel in a timely manner. With Okta Identity Threat Protection, Okta can consume signals from Okta and third-party security vendors to trigger workflows that augment existing SOAR efforts. This reduces the effort required to filter out “false positives” and the time needed to deliver notifications and clear sessions in downstream apps.


Tips to identify these use cases: As a start, review this Okta security advisory and engage with your Security Operations team to identify areas for improvement. Trust but verify: take the time to dig deeper in your conversations to confirm that Okta syslog events are being tracked, the right folks are notified and actions are taken. You will, most likely, be surprised at the security automation gaps that exist in your organization.


A sample (subset) of the available security templates is shown below:



3. Help Desk View


Help desk personnel typically execute support activities using documented “run books”. These run books may include performing multiple identity-related operations in sequence for issue response and resolution.


Example: In many organizations, when the help desk receives a call, it needs to confirm the identity of the caller. This could involve a sequence of operations to send an Okta MFA request to the user and validate the user's response.


Value of example scenario: With a distributed workforce, many customers no longer have employees interacting with the help desk in person. To maintain security, the identity of the user needs to be verified before support services are provided. Automating the identity-related run books allows help desk personnel to perform support activities consistently and efficiently.



Tips to identify these use cases: Discuss identity-related operations with help desk personnel, and review the top identity-security-related support procedures and issues.


4. Application View

Identity is the foundation of every application. Even with applications that are integrated with federation for Single Sign-On, Universal Logout and provisioning, there are other procedures performed by application teams that are usually initiated by support tickets.


Example: In many organizations, when an employee leaves, a support ticket may be created for a Salesforce administrator to move the leads assigned to the employee to their manager, for an Office 365 administrator to modify the employee's mailbox settings, or for a Google administrator to migrate the employee's Google Drive folder to the manager.


Value of example scenario: Reliance on support tickets to perform time-critical tasks during employee offboarding leads to urgent fire drills, risk of data loss, and inconsistency. Okta Workflows reduces manual effort and improves operational efficiency and consistency.



Tips to identify these use cases: Discuss with application owners the identity-related operations found by reviewing “high priority/urgent” application tickets.


5. Business Events View

During times of change such as mergers, acquisitions and divestitures, Okta Workflows is a handy automation platform for quickly deploying useful identity automations across applications and identity providers.


Example scenario: Creating guest users in Office 365 to ensure access across organizations. 


6. An Okta Product Technical View - Identity Orchestration

Okta administrators know which Okta SKUs they subscribe to. Mapping those SKUs to a technical platform-services view helps identify end-to-end identity orchestration workflows that supplement Okta's out-of-the-box capabilities across these services. Broadly, you can think of Okta as providing identity services for:

  • Directory - identities are stored in Universal Directory
  • Devices
  • Access services such as pre- and post-login authentication and authorization
  • Governance and Privileged Access related services such as Access Requests, Certifications, Service Accounts and Audit services
  • Integration services with applications and systems
  • Security Posture services

With this view, think about the Okta services that generate events Okta Workflows can subscribe to, the log entries Okta Workflows can consume, and the APIs it can invoke to operate on these services. Okta Workflows is your secure identity orchestration layer.


Example: Consider a scenario where an end user specifies a country they are traveling to for a short duration, and only limited access should be available while they travel. Here, a change to a user profile attribute (an event from the “Directory service”) can trigger adding the user to a group (via the “Directory service” API) that changes the authentication policies applied to them. Personal Okta-registered devices associated with the user may be suspended for the duration of the travel. Entitlements in “crown jewel” applications may be temporarily adjusted. In addition, an access request may be created for temporary access to travel-related resources.


Value of example scenario: Automatically adapting access to location changes, and reversing those changes after the travel dates, reduces the manual effort of managing today's global mobile workforce while enhancing security.


There are many scenarios where workflows extend Identity Threat Protection and Access Requests, trigger Access Certifications and push certification decisions to downstream systems, integrate Access Requests with ITSM, and extend ISPM. Tips to identify these use cases: Formulating the requirement as “When <this> happens, based on <conditional logic>, take <action1>, take <action2>” helps uncover these scenarios in your organization.
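The “When <this> happens, based on <conditional logic>, take <actions>” pattern above, applied to the security events named in the Security View section, as an added Python example (not code from the post or from Okta Workflows). The event records are constructed; the displayMessage, published and actor.alternateId field names mirror the Okta System Log, and the three-failures-in-ten-minutes threshold is an assumed stand-in for “multiple events indicative of account takeover”.

```python
"""Added example, not Okta Workflows code: replay constructed System Log style events
through "When <this>, based on <condition>, take <actions>" rules."""
from collections import defaultdict
from datetime import datetime, timedelta

MFA = "Authentication of user via MFA"
WINDOW = timedelta(minutes=10)   # constructed threshold: 3 failed MFA prompts within 10 min
FAILED_MFA_THRESHOLD = 3         # stands in for "multiple events indicative of account takeover"

def ev(ts, msg, user, result="SUCCESS"):
    """Constructed System Log style record carrying only the fields this example reads."""
    return {"published": ts, "displayMessage": msg, "outcome": {"result": result},
            "actor": {"alternateId": user}}

# Constructed sample events, not a real log export.
EVENTS = [
    ev("2024-05-01T09:02:00.000Z", "Breached Password Detection", "bob@example.com"),
    ev("2024-05-01T09:05:00.000Z", "User Suspicious Activity Reported", "carol@example.com"),
    ev("2024-05-01T09:06:00.000Z", MFA, "dave@example.com", "FAILURE"),
    ev("2024-05-01T09:07:00.000Z", MFA, "dave@example.com", "FAILURE"),
    ev("2024-05-01T09:08:00.000Z", MFA, "dave@example.com", "FAILURE"),
    ev("2024-05-01T09:00:00.000Z", MFA, "frank@example.com", "FAILURE"),  # frank's failures are
    ev("2024-05-01T09:20:00.000Z", MFA, "frank@example.com", "FAILURE"),  # spread out: never 3
    ev("2024-05-01T09:40:00.000Z", MFA, "frank@example.com", "FAILURE"),  # inside one window
]

parse_ts = lambda s: datetime.strptime(s, "%Y-%m-%dT%H:%M:%S.%fZ")

def failed_mfa_burst(event, failed_mfa):
    """Conditional logic: this failure brings the user's failed prompts in WINDOW to the threshold."""
    if event["outcome"]["result"] != "FAILURE":
        return False
    now = parse_ts(event["published"])
    recent = [t for t in failed_mfa[event["actor"]["alternateId"]] if now - t <= WINDOW]
    return len(recent) >= FAILED_MFA_THRESHOLD

# (When <displayMessage>, based on <condition>, take <actions>)
RULES = [
    ("User Suspicious Activity Reported", lambda e, h: True, ["clear_app_sessions", "notify_secops"]),
    ("Breached Password Detection", lambda e, h: True, ["clear_app_sessions", "notify_user", "notify_secops"]),
    (MFA, failed_mfa_burst, ["clear_app_sessions", "notify_secops"]),
]

def evaluate(events):
    """Replay events in time order; return (user, trigger, action) tuples a workflow would take."""
    failed_mfa = defaultdict(list)  # per-user timestamps of failed MFA prompts
    actions = []
    for e in sorted(events, key=lambda e: e["published"]):
        user = e["actor"]["alternateId"]
        if e["displayMessage"] == MFA and e["outcome"]["result"] == "FAILURE":
            failed_mfa[user].append(parse_ts(e["published"]))
        for when, condition, take in RULES:
            if e["displayMessage"] == when and condition(e, failed_mfa):
                actions.extend((user, when, action) for action in take)
    return actions
```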


Conclusion:

With Okta Workflows, you can enable teams to easily and securely automate their most complex identity processes. The value of automating identity processes is enhanced security, increased efficiency and reduced error rates through minimized manual effort. As a final note, an innovative Okta customer, Kyocera-AVX, created a dashboard that mapped Okta Workflows executions to dollars of value, continually showing senior management the business value of automating identity!


By using the proven approaches described in this blog you will uncover numerous identity processes that can be automated and earn the title of “Identity Automation Security Rockstar” in your organization!


----

About the Author: Ajay Seetharam, CISSP, is a Certified Technical Architect at Okta and has been involved with customer adoption of Okta Workflows since 2019. His deep technical expertise spans Cloud IaaS, PaaS, SaaS, Security, Integration and Observability technologies. More recently, he has been engaged with customers as they explore AI for identity process automation with Okta Workflows.
